139 posts categorized "podcasting"

January 23, 2014

We are about a month out from this year's RSA Conference and related events. For those of you who write about security in blogs or media, we are still accepting invite requests for this year's Security Bloggers Meetup, which will be our biggest and best yet. If you have not gotten an invite and think you should, please go to https://docs.google.com/forms/d/1ibXn64AzlOWF7LX5wsv4qMTTNvmkYX7xQu8Gqnei6iU/viewform to request one.

A reminder that though we have increased capacity this year, the meetup is still only open to bloggers and those who podcast or write about security. If you are invited, it doesn’t mean you can bring your marketing team, friends and anyone else. One of the things that has made the Bloggers Meetup as popular as it has become is the fact that it is by the bloggers, for the bloggers. So please don’t make Rich Mogull the bad guy ;-) If you are a blogger or podcaster, come hang out with your peers. Eat, drink and be merry.

I know many of you are asking when voting for the Blogger Awards starts. Well, first of all, sorry that it has taken this long to get the nominees up. We should have voting open in the next day or two. Stay tuned for info on this very soon. Voting will be open for two weeks and you will need to have a valid email address to be eligible.

November 20, 2013

My friend Mitchell Ashley reached out to me a few weeks ago and said “we had a great time when we used to do podcasts, we should do them again.” Well he didn’t have to twist my arm. Mitchell and I sat down to record a quick 20 minute show. We caught up with what he has been up to over the last few years. We also discussed the recent AWS re:Invent conference out in Las Vegas and how big public cloud and the Cloud in general has become.

We discussed DevOps, security automation and a bunch of other trends that Mitchell and I are seeing in the market. It was great having Mitchell back to podcast with again. We have already planned next week's show, which will feature a special guest as we discuss APT.

We mentioned a couple of links and articles in the podcast. Here are the links to these:

Mitchell's blog post on the CIO role, "The CIO Role - From Tech Manager to IT Services Broker": http://goo.gl/fzH5K

April 15, 2013

You were just hired as the Chief Information Security Officer (CISO) of a mid-market, one-thousand-employee company. On your first day on the job you are told that the company really hasn't done anything about information security to this point. You need to submit your prioritized plan and budget by the end of the week! What do you do? This is exactly the scenario that Wendy Nather, Senior Research Director of 451 Research, put to literally dozens of CISOs. What they picked, what they think it may cost and the actual cost may really surprise you. Wendy's new report, "The Real Cost of Security" (warning: this is not free unless you are a 451 client), details her findings and analysis.

I had a chance to sit down and chat with Wendy about the report and its findings for Network World. Below you can listen to our conversation where Wendy provides some detail and depth to the report.

Despite all of the buzz about new and more sophisticated attacks, it was surprising that for the top priorities the oft-maligned technologies of firewall and AV were most often picked. In fact, of the top 7 choices among CISOs, almost all are tried and true traditional products. I guess the old "no one ever gets fired for buying IBM" is still true today. According to the report, these are the top 7 recommended technologies:

Figure 1 courtesy of 451 Research

The purple line shows those who would recommend the technology if all they had was enough budget for the bare minimum; the gold line shows those who would recommend it if they had a blank check.

Beyond the top 7, the next tier of choices represents a little more diversity:

Figure 2 courtesy of 451 Research

What was interesting about these next 6 is the wider disparity between the gold and purple lines. This indicates that many CISOs considered these more of an optional choice, but not bare minimum.

I was surprised that App Security and App firewalls were not in the top tier of solutions, given that so many attacks today use Port 80 and Web Apps as their vector of choice.

Bringing up the rear in the survey were the following:

Figure 3 courtesy of 451 Research

You can see here the very wide disparity between some of the minimum-requirement and blank-check scenarios. This plainly labels some of these technologies as "nice to haves" but not required. GRC, NAC, and Risk Management and Analysis seem to fall into this category by the widest margin. I was disappointed to see Training have such a wide disparity between minimum and blank check. I think dollar for dollar, security awareness training for your organization is some of the most effective security you can buy.

Beyond picking what technologies to buy, the cost of security as detailed in the report may surprise you. 451 Research looked at not only the cost of the technologies (not easy getting prices out of vendors), but also added in the cost of actually running these security solutions. When the total cost was figured in, at a minimum an organization is looking at a budget of $250k. A more realistic budget for a 1000 person organization is probably somewhere between $500k and $800k. If you went all the way, you are closer to $1.2m for security! Another metric from the report is that most organizations have about one security admin for every 500 employees.

What about your organization? What technologies have you deployed and what are you planning to deploy? What is your budget? Do you match the 1 to 500 ratio? There is a ton of great info in this report if you buy it or are lucky enough to be a 451 Research customer.

My full conversation with Wendy is here:

This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I've been compensated to contribute to this program, but the opinions expressed in this post are my own and don't necessarily represent IBM's positions, strategies or opinions.

February 25, 2013

RSA Conference is THE information security event of the year. Kicking off my coverage of RSA this year is a series of podcasts I did with cloud/hosting providers who are exhibiting this year in the partner pavilion of Alert Logic.

My friends at Alert Logic have 5 of the largest hosting/cloud providers in the world exhibiting with them. I was curious why these cloud and hosting providers wanted to exhibit at a security conference.

The first provider I spoke with was SunGard, specifically SunGard Availability Services. I spoke with Cara Camping, Product Manager, Managed Security Services for SunGard AS. Cara talks about SunGard's approach to security in depth, why they partner with Alert Logic and what they expect from exhibiting at RSA Conference.

June 27, 2012

I wanted to highlight a podcast that I published on Network World yesterday. It is about a company called Allgress, which recently emerged from stealth. Allgress helps with GRC and risk management. They have built the product based on the feedback and advice of some major CISOs, including Dave Cullinane, formerly of eBay.

I had a chance to sit down and talk with Jeff Bennett, President/COO of Allgress, and Dave Cullinane, who needs no introduction to those of us in the security world.

Here are bios of Jeff and Dave:

Dave Cullinane

Dave Cullinane is a globally recognized leader and visionary in the IT security industry. He served for five years as a vice president and Chief Information Security Officer (CISO) for eBay, where he was responsible for global fraud, risk and security strategy and programs that provided security for eBay and its many global businesses, including StubHub, InternetAuction.co, and GSI Commerce. Prior to joining eBay, Dave was the CISO for one of the largest banks in the United States. He has more than 30 years of IT security experience and is a Certified Information Systems Security Professional (CISSP) and a former Certified Business Continuity Professional (CBCP).

Dave is a founding member and chairman of the board of the Cloud Security Alliance (CSA). He is the past president and chairman of the IT-ISAC, an organization dedicated to sharing security related information across companies in the IT industry. He served as a member of the IT Sector Coordinating Council and the National Council of ISACs. He is an ISSA Fellow, and was recently elected to the ISSA Hall of Fame. He serves on ASIS International's CSO Roundtable Committee and is on the Editorial Advisory Board of CSO Magazine and SC Magazine. He was awarded SC Magazine’s Global Award as Chief Security Officer of the Year for 2005 and CSO Magazine’s 2006 Compass Award as a “Visionary Leader of the Security Profession.” In 2012 he was awarded SecureWorld’s first Lifetime Achievement Award for his outstanding contributions to the advancement of the information security community.

Jeff Bennett

Jeff Bennett, the company's Founder, President and Chief Operating Officer, brings almost two decades of business leadership, product development, and IT security and compliance industry experience to the company. A serial entrepreneur, he has founded and led several companies, including digital defense services firms SiegeWorks and SiegeWorks International. In 2006, FishNet Security, the nation's leading provider of information security solutions that combine technology, services, support and training, acquired SiegeWorks. Following the acquisition, Bennett served as executive vice president of services at FishNet. He has served on the advisory boards of other leading security providers. Bennett holds a Bachelor of Science Degree in Business Administration from California State University at Hayward.

June 01, 2012

With all of the talk around cloud and mobile, the real killer app for security may very well be identity and access control. There are some great open source solutions around access control, but at the enterprise level more functionality and scale are needed. Fox Technologies has developed that kind of application. I had a chance to sit down and talk with Fox Technologies CEO Subhash Tantry about how Fox is helping companies with both their security and compliance needs. If you are not familiar with Fox Technologies and access control solutions, you should really have a listen.

I am lucky to have two friends and really smart security folks joining me on the panel for the webinar:

Alex Hutton

Currently, Alex Hutton is a Director of Operational Risk Management for a financial institution in the United States. His responsibilities include both information risk management and vendor management. In his past life he worked for the Verizon Business RISK Team. The Verizon RISK Team builds and hones the risk models for Cybertrust services, produces the Verizon Data Breach Investigations Report and Verizon's PCI Compliance Report, and is responsible for the VERIS data collection and analysis efforts.

Alex likes risk and security so much, he spends his spare time working on projects and writing about the subject. Some of that work includes contributions to the Cloud Security Alliance documents, the ISM3 security management standard, and work with the Open Group Security Forum.

Mike Murray has spent more than a decade helping companies large and small to protect their information by understanding their vulnerability posture from the perspective of an attacker. From his work in the late '90s as a penetration tester and vulnerability researcher to leadership positions at nCircle, Neohapsis, and Liberty Mutual Insurance Group, his focus has always been on using vulnerability assessment through penetration testing and social engineering to proactively defend organizations. In addition to being in charge of advanced curriculum at The Hacker Academy, Mike is also a Managing Partner of MAD Security, LLC, where he leads engagements to help corporate and government customers understand and protect their security organization.

His years of experience as a vulnerability researcher and leader of research teams have convinced him that the most important systems to focus on in information security are the human and organizational ones, and Mike has most recently focused on research into exploitation of those systems. Mike's talks about how to build a great career in security have been seen at major conferences like RSA, Black Hat and DEF CON, and his work on advanced social engineering has been widely recognized. Mike's thoughts on security can be found on his blog at Episteme.ca and his work on helping build careers can be found at InfoSecLeaders.com.

This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.

April 04, 2012

I am happy to report that the good folks at CompTIA have signed on to be a sponsor of the security bloggers network (SBN). Thanks very much to CompTIA!

If you are not familiar with CompTIA, they offer a full range of IT certification courses, including some excellent security certifications. Their newest certification is CASP, the CompTIA Advanced Security Practitioner. It is a master-level certification for people with significant experience in the field.

I had a chance to speak with Rick Bauer, director of research and development at CompTIA. We spoke about CompTIA, the different certifications they offer and the whole technical certification space.

If you are interested in achieving technical certifications you should certainly look at what CompTIA has to offer. In the meantime you can listen to my conversation with Rick below.

March 06, 2012

Living down here in South Florida, I am always excited to find out about security companies right here in my own backyard. About a month or so ago I came across Spectorsoft, where my old friend Jeani Park is now working. I don’t know how I missed Spectorsoft before. They have pioneered something they call user activity monitoring (UAM).

I am appearing on a webinar with Spectorsoft tomorrow at 2 pm Eastern time that will explore how UAM can help prevent data theft. If you are not familiar with Spectorsoft and UAM, you should definitely dial in to the webinar. It's free, of course, and by attending you are eligible to win a new iPad 3.

User Activity Monitoring allows IT Pros, Security Experts, HR, and Risk Managers to see what users and groups of users are doing. Capturing and replaying how people, departments, and divisions work, which applications and systems they are using, and how they communicate enables organizations to:

See who accesses, transfers, and alters protected or confidential information

Record and replay work activity to see which individuals and groups are most productive and efficient

Capture and review email, IM, and chat communications to be sure your Electronic Acceptable Use Policies are met

Sounds pretty comprehensive I know. I have seen the product in action and can tell you it really does work. Join us on the webinar tomorrow if you can!

January 23, 2012

Continuing my series of podcasts on all things Risk, I have another great one in this episode. I am joined by an all-star panel: HD Moore, CSO of Rapid7 and founder of Metasploit; Ron Gula, CEO and CTO of Tenable Network Security; and Jody Brazil, founder and President of Firemon. With that kind of talent, this is not just another Risk podcast!

The four of us discuss some common mistakes people make in risk management and how vulnerability and pen testing figure into the Risk equation. We even manage to discuss scenario-based risk management as exemplified in the Firemon Risk Analyzer.

Having smart people on the show makes my job easy and fun. This was a very easy and fun podcast. I hope you enjoy!